
Top identity threats to watch for in 2021 and how to protect against them

The review of the top 6 threats to your identity and 11 best practices to protect against them.

Published: August 2, 2021 By Nihad Hassan


Did you know that your favorite online shop may store your payment methods unencrypted? Or that your smart home device can be spoofed, revealing all your private details to malicious actors?

There are thousands of different methods for stealing your private data, any of which can threaten the authenticity of your identity, meaning somebody else can use your "digital me".

Here, we will look at the most rapidly evolving threats and learn effective ways of protecting against them.


What is digital identity?

As digitalization continues to evolve rapidly, people's lives become heavily dependent on technology. In today's digital age, people use technology to conduct most of their daily transactions. For instance, people use the internet to socialize, entertain themselves, work, study, share files, and interact with online merchants and government bodies (to access public services), to name only a few.

To prove their identity among billions of connected users, people need official documents that confirm they are who they say they are. In the physical world, people use passports, ID cards, and other formal government documents to prove their identity. In the digital world, things are different, as we cannot always use the same physical ID to verify our identity. Different types of personal information can distinguish a user online and prove their digital identity, such as:

  • Account credentials to access online services, such as a username and password
  • A user's biometric information (fingerprint, voice and facial recognition, palm symmetry)
  • Email address
  • Phone number
  • Date of birth
  • Social security number
  • Digital copy of the user's government ID, passport or driving license
  • Medical records
  • Financial information, such as bank and credit card information
  • Social media profiles, such as a user's Facebook or Twitter profile
  • The digital fingerprint of the user's computing device (e.g., computer, tablet, smartphone). A device fingerprint captures the technical specifications (both hardware and software) and the IP address of the computing device used by the user.

Keep in mind that digital identity is not limited to proving human identity. For example, computing devices (e.g., Internet of Things (IoT) devices) and applications also need to confirm their identity before accessing sensitive resources or interacting with other computer systems.

Users' digital identities are commonly stored in secure locations available online so that internet users can authenticate themselves before using protected services and applications or accessing protected resources.

To store users' credentials and regulate their access to sensitive resources, organizations use software solutions known as "Identity and Access Management (IAM)".

An IAM solution is a program for regulating users' access to protected resources; it can be either deployed on-premises or hosted in the cloud. IAM serves two primary purposes:

  1. Keep users' login credentials, such as usernames and passwords. This function is also known as authentication.
  2. Track user access rights (access permissions), in other words, which network resources or files within the system a user or system can access. This function is also known as authorization.

Who needs your personal information?

Digital identity contains some pieces of users' Personally-Identifying Information (PII). Such information is sensitive and unique enough to distinguish a person online.

This makes digital identities a lucrative target for various threat actors, and also for third parties that have no malicious intent but want to use such information for commercial gain.

Parties interested in getting online users' PII:

  • Cybercriminals
  • Government agencies (security services, law enforcement)
  • Internet Service Providers (ISP)
  • Big internet service providers, such as search engines (Google, Yahoo, Bing) and social media platforms (Twitter, Facebook). These enterprises need users' PII for advertising purposes.

Top threats against digital identity in 2021

As cyberattacks increase in both sophistication and number, attacks against internet users' digital identities are expected to intensify. For instance, any company that wants to do business online or provide online services to its users must keep their credentials in the form of user accounts.

According to Cybersecurity Ventures, global cybercrime damage costs are expected to reach 10.05 trillion annually by 2025. The costliest attacks have resulted from data breaches. A study conducted by IBM found that the average cost of a data breach reached $3.86 million in 2020.

In this section, I will cover the most prominent current attack vectors against users' digital identities. In the following section, I will suggest countermeasures to stop and mitigate these attacks.

Social engineering attacks

Social engineering (SE) attacks are still considered the most dangerous and effective cyberattacks. In such an attack, the adversary uses psychological tricks to convince unaware users to reveal sensitive information (account credentials, financial and medical information) or to violate the implemented security policies (for example, by granting access to sensitive resources).

SE attacks are very difficult to stop because they rely on manipulating the human mind, which makes typical security solutions (firewalls, SIEM, IDS and IPS) unable to detect or prevent them.

Phishing attacks

Phishing is a type of SE attack. Phishing attacks can be classified according to the attack channel used, for example, the internet, SMS, phone calls, or in-person contact.

The most prominent phishing attack is conducted via email. In this scenario, the attacker sends an email message pretending to be a legitimate entity, such as your bank, insurance company, partner organization, or social media website. The malicious email asks users to update their account details, install a program, or open a malicious file attachment.

Once the target opens it, information-stealing malware is installed and used to collect the target's credentials and everything they type on their keyboard (a function commonly associated with keyloggers).

Increased usage of mobile devices

As computing technology continues to advance, manufacturing small mobile devices with strong processing power has become feasible. Users now store a larger volume of personal information on their mobile devices than ever.

Attacking mobile systems is easier than attacking computers. For example, according to Symantec, 24,000 malicious mobile apps were blocked every day in 2017 on Google Play; many users download and install such apps without investigating their developers or knowing anything about them.

Theft of mobile devices is also common and exposes sensitive information if the stolen device was not adequately protected using encryption.

Credential Stuffing

The old practice of using the same password to protect more than one account is, unfortunately, still prevalent. Cybercriminals exploit this gap by going to the darknet, purchasing massive quantities of credentials stolen from different websites, and then trying the same password on other accounts belonging to the same user to gain unauthorized access to them.
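From the side of a single site operator, credential stuffing shows up as one source trying many different accounts and mostly failing. The sketch below is an added example, not part of the original article; the event format, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (epoch_seconds, source_ip, username, success).
SAMPLE_EVENTS = (
    # One source tries a different account each time and mostly fails.
    [(1000 + 10 * i, "203.0.113.7", f"user{i}", i == 4) for i in range(8)]
    # One person mistypes their own password twice, then logs in.
    + [(1005, "198.51.100.20", "alice", False),
       (1015, "198.51.100.20", "alice", False),
       (1030, "198.51.100.20", "alice", True)]
    # A shared office address: several accounts, all logins succeed.
    + [(1000 + 20 * i, "192.0.2.50", f"staff{i}", True) for i in range(6)]
)


def find_stuffing_sources(events, window_s=300, min_users=5, max_success_rate=0.25):
    """Flag sources that try many distinct accounts in one window and mostly fail."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most window_s seconds.
            while rows[end][0] - rows[start][0] > window_s:
                start += 1
            window = rows[start:end + 1]
            users = {user for _, user, _ in window}
            hits = [user for _, user, ok in window if ok]
            if len(users) >= min_users and len(hits) / len(window) <= max_success_rate:
                # Keep the latest matching window; "hits" are accounts whose
                # reused password worked and that need a forced reset.
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(window),
                               "compromised": hits}
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, stats)
```

The mistyped-password user and the shared office address are not flagged, because the rule needs both many distinct accounts and a low success rate.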

Using insecure IoT devices

The number of Internet of Things (IoT) devices is growing at an explosive rate. According to Juniper Research, the number of IoT devices in 2021 will reach 46 billion. The problem with IoT devices is that many of them are insecure. For instance, many Chinese companies manufacture cheap IoT devices for home automation and ship them with weak security features to keep their prices low. In addition, many users still use the default username and password to secure the administration panel of their IoT devices. This insecure practice provides an entry point for cybercriminals to conduct various malicious activities, such as stealing users' credentials.

Malware attacks

Malware attacks such as ransomware are evolving rapidly. Aside from encrypting the files and personal data on a victim's device, some ransomware strains, such as Maze and Sodinokibi, exfiltrate data from the victim's device before encrypting it.

Steps to protect your digital identity online

Use privacy-enhanced search engines

To prevent search engines from tracking your browsing history and later linking it back to your real identity, it is advisable to use privacy-oriented search engines such as:

Create secure passwords to protect online accounts

Creating a long, complex password is essential to make it hard to crack using the traditional brute-force password attack technique. A good password should consist of at least 20 characters and include numbers, uppercase and lowercase letters, and symbols. Users must change their passwords once every three months and must not use the same password again to protect any other account.

Use a password manager to store your passwords

Creating secure passwords means using complex and lengthy passwords. People cannot remember such long passwords, especially if they have to remember the passwords for 30 accounts!

A password manager helps users store their passwords in a secure encrypted vault; this encrypted database is protected by one master password, which the user must remember to access the secure repository. Many password managers help users generate secure passwords and keep important files (such as key files) within the encrypted vault. Examples of password managers include:

Generate robust and complex passwords using KeePass Password Manager

Protect important online accounts using Two-Factor or Multi-Factor authentication

The traditional password-only authentication system is no longer enough to keep hackers out. By using more than one authentication factor, users can keep their online accounts protected even if hackers obtain the account password.

For example, in a 2FA scenario, users need to provide their password and another authentication factor, such as a one-time password sent to their phone number via SMS or to their email, to access the protected area. Advanced authentication systems can be configured to request three or more authentication factors, such as a password, a smartphone to receive a temporary password sent via SMS, and one biometric authentication factor, such as the user's fingerprint or iris scan.
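The server side of the one-time password factor described above, as an added example that is not part of the original article: the code must be random, short-lived, single-use and limited in guesses. The `OtpStore` class, `login` function and their parameters are hypothetical names, and delivery by SMS or email is left out.

```python
import hmac
import secrets
import time


class OtpStore:
    """Hypothetical in-memory store for one-time codes sent by SMS or email."""

    def __init__(self, ttl_s=300, max_attempts=3):
        self.ttl_s = ttl_s
        self.max_attempts = max_attempts
        self._pending = {}  # user -> [code, expires_at, attempts_left]

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        # secrets uses the OS CSPRNG; random.randint would be predictable.
        code = f"{secrets.randbelow(10**6):06d}"
        # Issuing a new code replaces any older one for the same user.
        self._pending[user] = [code, now + self.ttl_s, self.max_attempts]
        return code  # hand this to the SMS/email gateway

    def verify(self, user, code, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        if now > entry[1]:              # expired: discard the code
            del self._pending[user]
            return False
        entry[2] -= 1                   # every guess costs one attempt
        if hmac.compare_digest(entry[0], code):
            del self._pending[user]     # single use: a replayed code fails
            return True
        if entry[2] == 0:               # too many wrong guesses: discard
            del self._pending[user]
        return False


def login(password_ok, otp_store, user, code, now=None):
    """Grant access only when the password check and the OTP check both pass."""
    return password_ok and otp_store.verify(user, code, now)
```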

Utilize data encryption

Encryption works by turning sensitive files into an unreadable format. A user needs to supply a password to reverse the process. Encryption is used widely in enterprise environments to protect sensitive information, including users' digital identity information.

Never go online without a VPN

To prevent hackers from intercepting your online traffic, you need to secure your internet connection using a reliable VPN service. Avoid using free VPN services because they cannot ensure your complete privacy. For an overview of the 10 best VPN services in the USA, check our full review.

ProtonVPN allows concealing a user's IP address to mask their real geographical location

Use a false online identity to register for some online services

Do not provide your real identity on untrusted websites, especially your full name, phone number, and email address. Suppose you come across a website that offers some freebies and requires its visitors to register and have an account first to get the free stuff.

Do not register using your real credentials, especially your private or work email address; instead, use a free identity generator to create a false identity and use it to register on the website. Some websites that offer fake identity generators include:

Fake identity generator

Avoid public Wi-Fi hotspots

Hackers lurk on public Wi-Fi, waiting for unaware users to enter their credentials so they can steal them. Avoid using public Wi-Fi hotspots; however, if you need to use such a service (for example, at the airport), make sure to connect to your VPN service first.

Avoid oversharing your personal information on social media platforms

The first phase in any social engineering attack is collecting valuable information about the target to customize the attack. Hackers use Open Source Intelligence (OSINT) to collect valuable information about their targets (whether they are individuals or companies) from publicly available sources, such as public databases and social media websites.

Keep your operating system and installed applications up to date

Always make sure your operating system, security solutions (antivirus, antimalware and firewall), and installed programs are all current.

If an adversary succeeds in executing malware on your computing device while your antivirus is up to date, there is a high probability that the antivirus can stop the malware from installing or spreading to connected devices across the network.

End-user cybersecurity training

Educate your staff about possible cyberattacks and how adversaries can exploit overlooked weaknesses to gain unauthorized access to the target network and, consequently, to stored digital identities.

Summary

Your PII is considered your most precious asset. Taking a few simple steps can help you protect your digital identity and prevent cybercriminals from exploiting it for various malicious actions. This article sheds light on the most significant threats affecting digital identity in 2021 and suggests countermeasures to stop them.

Author
Nihad Hassan
Nihad is an experienced cybersecurity specialist with more than ten years of proven expertise in different cybersecurity domains.
